April Monthly Roundup

April brought with it some of the biggest security news any of us have seen in quite some time. With the end of Windows XP support and the newfound vulnerability, Heartbleed, we were hard at work at Kaspersky Lab staying up to date on all the latest breaking updates in order to continue to offer you the best protection solutions available. If you missed any of our coverage or any of our posts from the month, it’s time to catch up now!

This month brought with it one of the largest security stories we’ve seen recently, when a serious encryption flaw – dubbed Heartbleed – was discovered in OpenSSL. This was perhaps the most widely deployed encryption library on the Internet. When you establish an encrypted connection to a website, whether it’s Google, Facebook, or your bank’s online branch, the data is encrypted using the SSL/TLS protocol, and many popular web servers utilize the open-source OpenSSL library to do the job for them. The maintainers of OpenSSL released a fix for a serious bug in the implementation of a TLS feature called “Heartbeat,” which had the potential to reveal up to 64 kB of server memory to an attacker, allowing anyone on the Internet to read the memory of a machine that was protected by a vulnerable version of the library. Worst-case scenario: this small block of memory could contain something sensitive, like a user name, a password, or the private key that’s used by the server to keep connections encrypted. Heartbleed leaves no traces, so there is no definite way to tell if a server was hacked and what kind of data was stolen. There is no way to guarantee that the sites and services affected by Heartbleed are implementing the patch that mitigates it, and the bug is apparently pretty easy to exploit and may have existed for as long as two years. So what do you need to do? Check out our list of affected services and change all of your passwords immediately.
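The 64 kB figure comes from the 16-bit length field in a Heartbeat message. The sketch below is an added example, not OpenSSL's code and not from the original post: it shows the length validation RFC 6520 requires and how large an unchecked read could be. The function names and sample records are assumptions constructed for illustration.

```python
import struct

HEADER_LEN = 3    # 1-byte message type + 2-byte payload_length (RFC 6520)
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding
HB_REQUEST = 1


def parse_heartbeat(record: bytes):
    """Return (msg_type, payload) for a well-formed message, else None.

    RFC 6520 says a message whose payload_length is too large must be
    silently discarded, so None means "send no response".
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None  # too short to hold the header and minimum padding
    msg_type, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        return None  # claimed length exceeds the bytes actually received
    return msg_type, record[HEADER_LEN:HEADER_LEN + claimed]


def overread_bytes(record: bytes) -> int:
    """Bytes past the end of the record that a responder would copy if it
    echoed the claimed length without the check in parse_heartbeat()."""
    if len(record) < HEADER_LEN:
        return 0
    claimed = struct.unpack("!BH", record[:HEADER_LEN])[1]
    available = len(record) - HEADER_LEN
    return max(0, claimed - available)


# Constructed sample records (not captured traffic).
WELL_FORMED = struct.pack("!BH", HB_REQUEST, 5) + b"hello" + bytes(MIN_PADDING)
MISMATCHED = struct.pack("!BH", HB_REQUEST, 0xFFFF) + b"A"

if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("mismatched", MISMATCHED)):
        print(name, parse_heartbeat(rec), overread_bytes(rec))
```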

A cryptographic hash function – often referred to simply as a hash – is a mathematical algorithm that transforms any arbitrary block of data into a string of new characters of a fixed length. Regardless of the length of the input data, the same type of hash will always output a hash value of the same length. The most common use of hashing has to do with passwords. For example, if you ever forget your password to some online service and have to perform a reset, you generally don’t receive your plaintext password in return. That’s because the online service stores a hash value for that password and actually has no idea what your real password is. You can also hash media files, and most importantly (at least for us), hashing can be used in the practice of malware detection by antivirus firms like Kaspersky Lab. One way antivirus engines recognize, and ultimately block, malware is by comparing file hashes to their own (and also public) malware signature repositories. Furthermore, there are any number of malware hash value blacklists, most of which are publicly available. These malware hash – or malware signature – blacklists consist of the hash values of malware or the hash values of smaller and recognizable components of malware. If a user finds a suspicious file, that user can enter its hash value into one of the many publicly available malware hash registries or databases, which will inform the user as to whether the file is malicious or not. Finally, there are also cryptographic hash functions that are used to ensure message integrity. In other words, you can ensure that communication or files have not been tampered with by examining a hash output generated both before and after the data transmission. If the before and after hashes are identical, then the transmission is said to be authentic.
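The three uses described above (stored password hashes, hash blocklists and integrity checks), as an added example that is not from the original post. The choice of SHA-256 and salted PBKDF2, the function names and the sample data are all assumptions made for illustration.

```python
import hashlib
import hmac
import io
import os


def sha256_stream(stream, chunk_size=65536) -> str:
    """Hash a file-like object in chunks so large files never sit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def is_known_bad(data: bytes, blocklist: set) -> bool:
    """Signature-style lookup: exact match of the file hash in a blocklist."""
    return sha256_stream(io.BytesIO(data)) in blocklist


def unchanged(data: bytes, expected_hex: str) -> bool:
    """Integrity check: the hash after transfer must equal the one before."""
    actual = sha256_stream(io.BytesIO(data))
    return hmac.compare_digest(actual, expected_hex.lower())


def hash_password(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Value a service stores instead of the password. Salted PBKDF2 is an
    assumption here; the text above only says that a hash is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def check_password(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the login attempt and compare in constant time."""
    return hmac.compare_digest(hash_password(attempt, salt), stored)


# Constructed sample data (stand-ins, not real files or real signatures).
SAMPLE_BAD = b"constructed stand-in for a malicious file"
SAMPLE_GOOD = b"constructed stand-in for a clean file"
BLOCKLIST = {hashlib.sha256(SAMPLE_BAD).hexdigest()}

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = hash_password("correct horse", salt)
    print(len(sha256_stream(io.BytesIO(b""))), len(sha256_stream(io.BytesIO(SAMPLE_GOOD))))
    print(is_known_bad(SAMPLE_BAD, BLOCKLIST), is_known_bad(SAMPLE_GOOD, BLOCKLIST))
    print(check_password("correct horse", salt, stored))
```

A matching digest only demonstrates integrity when the reference digest reached you over a channel that could not be altered along with the data.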

There are hardly any people who don’t use Internet messaging nowadays. WhatsApp, Skype, Viber, ICQ, and about a dozen other, less popular messengers, including built-in messaging capabilities in Facebook, LinkedIn, and the like, process billions of messages daily. However, with instant messaging services enjoying such popularity, the issue of privacy of message exchange comes to light. Today, regular instant messengers are hard to trust when it comes to privacy. There are, of course, safer alternatives, but can they substitute for Skype and WhatsApp? In order to be sent, any message of whatever nature is recorded on local storage volumes on the sender’s and recipient’s systems, transferred via wired or wireless networks and then processed by the service’s server. And if someone can, to some extent, control the access to the messaging history in the first case, the rest of the path the message travels is completely out of control. Although encryption can help, it is not completely foolproof. There are apps and services available that provide a level of security fully compliant with officially proclaimed features and are able to substantially protect the access to correspondence from third-party assaults, like Threema, Silent Circle and TextSecure, but they have yet to fully launch and no cryptomessenger is truly ideal. You must compromise on your budget, ease of use or security level in this case. Paid VPN access for your system is about $5 a month, yet it might save you from threats coming from public Wi-Fi networks. As for keyloggers and other malware, there are reliable protection suites like ours. With such protection means at hand, just add any XMPP/Jabber-based messenger and rest assured your communication on the Internet is safe.

Financial fraud remains one of the most dangerous kinds of activity that malware might perform after infecting your computer. So-called “banking Trojans” are able to inject themselves between you and your bank, manipulating your funds and redirecting your payments to criminals’ bank accounts. To counter this threat, most banks utilize “two-factor authentication”, which is typically implemented via SMS. When you try to transfer funds online, you must approve the transaction using your password, plus a one-time password (OTP, mTAN) sent via text message to your smartphone. To counteract this security measure, criminals have developed a scheme in which they try to infect both your computer and smartphone to steal your password and mTAN at the same time. This scheme was first introduced in the Zeus/ZitMo malware duo, and it proved quite effective. Recently, the same concept was implemented in the Android malware called Faketoken. Unfortunately, it is quite effective, and a recent report, “IT threat evolution Q1 2014”, published by Kaspersky Lab, indicates that Faketoken reached #13 in the Top 20 mobile threats “hit parade”, accounting for 4.5% of all infections. During the first three months of 2014, Kaspersky Lab detected attacks involving this threat in 55 countries, including Germany, Sweden, France, Italy, the UK, and the US. To mitigate the risk, users must utilize Multi-Device protection, i.e. using a dedicated security solution on both the PC and the Android smartphone.

One of the biggest news headlines in April was Heartbleed. This is a serious security vulnerability in the nearly ubiquitous OpenSSL. OpenSSL is an open-source cryptographic library that is deployed by perhaps as many as two-thirds of the Internet’s websites to implement secure SSL and TLS encrypted connections. Attacks targeting the Heartbleed vulnerability, which is reportedly pretty easy to exploit and very difficult to detect, could have dire consequences for everyday Internet users. A successful exploit of the bug could expose private certificate keys, username and password combinations, and a variety of other sensitive data, making it a very big deal on the security front. In not quite as big, but certainly still important news, Tuesday, April 8, 2014, marked the very last time Microsoft would issue public security fixes for its more-than-12-year-old Windows XP operating system. This is problematic, given the fact that XP is still a dominant operating system. For a full run-down on what this all means, you can read this brief look at the history and future of Windows XP, which was at one time the world’s most ubiquitous operating system.

On October 25, 2001, Microsoft launched its newest operating system solution: Windows XP. In just three days, Microsoft sold over 300,000 boxed XPs. The new OS featured a number of tasty features, including a revamped GUI, integrated CD burning software, ClearType font smoothing to work with LCD displays, a picture and fax viewer, fast user switching and a number of other advantages. Meanwhile, revolutionary changes were made under the hood of the new OS: the core of XP was based on the more stable and safe enterprise-grade NT architecture rather than Windows 95/98. This mixture of a stable core and an improved, feature-packed UI was to become Microsoft’s most popular OS for a decade to come. Microsoft had prolonged the support of XP to 12 years instead of the typical 10 years and launched three major Service Packs to significantly improve and update the OS. But all good things must come to an end, and for XP, that end was April 8, 2014. It’s been years since Microsoft added any new features to XP, and today the last patch for newly found vulnerabilities and security threats is due. While you can still use XP, these patches will no longer be available in the future, which means that any breaches in its security will be left unattended. These factors put your PC at a higher risk of infection. However, unlike Microsoft, Kaspersky Lab will not stop supporting XP-based systems. For at least the next two years, both current and future products will be compatible with XP, protecting users from up-to-date threats.